[Bug 216151] kernel panic after BUG: KASAN: use-after-free in _copy_to_iter+0x830/0x1030

https://bugzilla.kernel.org/show_bug.cgi?id=216151

--- Comment #2 from Zorro Lang (zlang@xxxxxxxxxx) ---
Same panic on another machine (s390x):

[10054.497558] run fstests generic/465 at 2022-06-19 16:09:21
[10055.731299] ==================================================================
[10055.731308] BUG: KASAN: use-after-free in _copy_to_iter+0x830/0x1030
[10055.731324] Write of size 16 at addr 0000000090ebd000 by task nfsd/45999
[10055.731328]
[10055.731331] CPU: 1 PID: 45999 Comm: nfsd Kdump: loaded Not tainted 5.19.0-rc2+ #1
[10055.731335] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[10055.731338] Call Trace:
[10055.731339]  [<000000007bc24fda>] dump_stack_lvl+0xfa/0x150
[10055.731345]  [<000000007bc173bc>] print_address_description.constprop.0+0x64/0x3a8
[10055.731351]  [<000000007a98757e>] print_report+0xbe/0x230
[10055.731356]  [<000000007a987ba6>] kasan_report+0xa6/0x1e0
[10055.731359]  [<000000007a988fa4>] kasan_check_range+0x174/0x1c0
[10055.731362]  [<000000007a989a38>] memcpy+0x58/0x90
[10055.731365]  [<000000007affd0c0>] _copy_to_iter+0x830/0x1030
[10055.731369]  [<000000007affddd0>] copy_page_to_iter+0x510/0xcb0
[10055.731372]  [<000000007a7e986c>] filemap_read+0x52c/0x950
[10055.731378]  [<001bffff80599042>] xfs_file_buffered_read+0x1c2/0x410 [xfs]
[10055.731751]  [<001bffff80599eba>] xfs_file_read_iter+0x28a/0x4c0 [xfs]
[10055.731975]  [<000000007aa1084a>] do_iter_readv_writev+0x2ca/0x4c0
[10055.731981]  [<000000007aa1102a>] do_iter_read+0x23a/0x3a0
[10055.731984]  [<001bffff80f58d30>] nfsd_readv+0x1e0/0x710 [nfsd]
[10055.732070]  [<001bffff80fa2f88>] nfsd4_encode_read_plus_data+0x3a8/0x770 [nfsd]
[10055.732129]  [<001bffff80fa5010>] nfsd4_encode_read_plus+0x3e0/0xaa0 [nfsd]
[10055.732188]  [<001bffff80fbc0ac>] nfsd4_encode_operation+0x21c/0xab0 [nfsd]
[10055.732249]  [<001bffff80f9ca7e>] nfsd4_proc_compound+0x125e/0x21a0 [nfsd]
[10055.732307]  [<001bffff80f441aa>] nfsd_dispatch+0x44a/0xc40 [nfsd]
[10055.732362]  [<001bffff80b8d00c>] svc_process_common+0x92c/0x1cd0 [sunrpc]
[10055.732500]  [<001bffff80b8e6ac>] svc_process+0x2fc/0x4c0 [sunrpc]
[10055.732579]  [<001bffff80f42f4e>] nfsd+0x31e/0x600 [nfsd]
[10055.732634]  [<000000007a2cc514>] kthread+0x2a4/0x360
[10055.732640]  [<000000007a186a5a>] __ret_from_fork+0x8a/0xf0
[10055.732645]  [<000000007bc5575a>] ret_from_fork+0xa/0x40
[10055.732650] 1 lock held by nfsd/45999:
[10055.732653]  #0: 000000009cc7fb38 (&sb->s_type->i_mutex_key#13){++++}-{3:3}, at: xfs_ilock+0x2fa/0x4e0 [xfs]
[10055.732887]
[10055.732888] Allocated by task 601543:
[10055.732890]  kasan_save_stack+0x34/0x60
[10055.732893]  __kasan_slab_alloc+0x84/0xb0
[10055.732896]  kmem_cache_alloc+0x1e2/0x3d0
[10055.732900]  security_file_alloc+0x3a/0x150
[10055.732906]  __alloc_file+0xc0/0x210
[10055.732908]  alloc_empty_file+0x5c/0x140
[10055.732911]  path_openat+0xf8/0x700
[10055.732914]  do_filp_open+0x1b0/0x390
[10055.732917]  do_sys_openat2+0x134/0x3c0
[10055.732920]  do_sys_open+0xdc/0x120
[10055.732922]  do_syscall+0x22c/0x330
[10055.732925]  __do_syscall+0xce/0xf0
[10055.732928]  system_call+0x82/0xb0
[10055.732931]
[10055.732932] Freed by task 601543:
[10055.732933]  kasan_save_stack+0x34/0x60
[10055.732935]  kasan_set_track+0x36/0x50
[10055.732937]  kasan_set_free_info+0x34/0x60
[10055.732940]  __kasan_slab_free+0x106/0x150
[10055.732942]  slab_free_freelist_hook+0x148/0x230
[10055.732946]  kmem_cache_free+0x132/0x370
[10055.732948]  __fput+0x2b2/0x700
[10055.732950]  task_work_run+0xf4/0x1b0
[10055.732952]  exit_to_user_mode_prepare+0x286/0x290
[10055.732957]  __do_syscall+0xce/0xf0
[10055.732959]  system_call+0x82/0xb0
[10055.732962]
[10055.732962] The buggy address belongs to the object at 0000000090ebd000
[10055.732962]  which belongs to the cache lsm_file_cache of size 16
[10055.732965] The buggy address is located 0 bytes inside of
[10055.732965]  16-byte region [0000000090ebd000, 0000000090ebd010)
[10055.732968]
[10055.732969] The buggy address belongs to the physical page:
[10055.732970] page:00000000b4bd66d5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x90ebd
[10055.732975] flags: 0x2000000000000200(slab|node=0|zone=1)
[10055.732982] raw: 2000000000000200 0000000000000100 0000000000000122 000000008024a200
[10055.732985] raw: 0000000000000000 0080010000000000 ffffffff00000001 0000000000000000
[10055.732986] page dumped because: kasan: bad access detected
[10055.732988]
[10055.732989] Memory state around the buggy address:
[10055.732990]  0000000090ebcf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[10055.732992]  0000000090ebcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[10055.732994] >0000000090ebd000: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[10055.732995]                    ^
[10055.732997]  0000000090ebd080: fa fb fc fc 00 00 fc fc fa fb fc fc 00 00 fc fc
[10055.732999]  0000000090ebd100: 00 00 fc fc 00 00 fc fc fa fb fc fc fa fb fc fc
[10055.733001] ==================================================================
[10055.733031] Disabling lock debugging due to kernel taint
[10058.081326] systemd-udevd (601251) used greatest stack depth: 45056 bytes left
[10058.575324] Unable to handle kernel pointer dereference in virtual kernel address space
[10058.575333] Failing address: 0185c58585858000 TEID: 0185c58585858803
[10058.575337] Fault in home space mode while using kernel ASCE.
[10058.575342] AS:000000007d39400b R2:0000000000000028
[10058.575389] Oops: 0038 ilc:3 [#1] SMP
[10058.575423] Modules linked in: tls rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache netfs rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace loop lcs ctcm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill vfio_ccw mdev vfio_iommu_type1 zcrypt_cex4 sunrpc vfio drm i2c_core fb fuse font drm_panel_orientation_quirks xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390 qeth_l2 bridge stp llc dasd_eckd_mod dasd_mod qeth qdio ccwgroup dm_mirror dm_region_hash dm_log dm_mod pkey zcrypt
[10058.575531] CPU: 1 PID: 754 Comm: systemd-journal Kdump: loaded Tainted: G    B             5.19.0-rc2+ #1
[10058.575540] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[10058.575547] Krnl PSW : 0704e00180000000 000000007a989e3c (qlist_free_all+0x9c/0x130)
[10058.575572]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
[10058.575579] Krnl GPRS: 000000000098b130 0005002100000001 0185c58585858580 000000007c9111a8
[10058.575584]            0000000091a8b000 0005002100000000 0000000091a8b000 001bff80018df5e8
[10058.575588]            0000000000000000 0000000091a8b000 0000000080082e00 6161616161616161
[10058.575592]            000000007c3cd090 000000007ab19aa6 000000007a989e1e 001bff80018df4e0
[10058.575602] Krnl Code: 000000007a989e2a: c43800d22e97        lgrl    %r3,000000007c3cfb58
[10058.575602]            000000007a989e30: ec2b06b93a59        risbgn  %r2,%r11,6,185,58
[10058.575602]           #000000007a989e36: e32030000008        ag      %r2,0(%r3)
[10058.575602]           >000000007a989e3c: e33020080004        lg      %r3,8(%r2)
[10058.575602]            000000007a989e42: a7310001            tmll    %r3,1
[10058.575602]            000000007a989e46: a774003a            brc     7,000000007a989eba
[10058.575602]            000000007a989e4a: e33020000004        lg      %r3,0(%r2)
[10058.575602]            000000007a989e50: a7310200            tmll    %r3,512
[10058.575635] Call Trace:
[10058.575638]  [<000000007a989e3c>] qlist_free_all+0x9c/0x130
[10058.575643] ([<000000007a989e1e>] qlist_free_all+0x7e/0x130)
[10058.575647]  [<000000007a98a45a>] kasan_quarantine_reduce+0x16a/0x1c0
[10058.575652]  [<000000007a98720e>] __kasan_slab_alloc+0x9e/0xb0
[10058.575657]  [<000000007a9810a4>] __kmalloc+0x214/0x440
[10058.575663]  [<000000007ab19aa6>] inotify_handle_inode_event+0x1b6/0x7d0
[10058.575669]  [<000000007ab0ee74>] fsnotify_handle_inode_event.isra.0+0x1c4/0x2f0
[10058.575674]  [<000000007ab0f490>] send_to_group+0x4f0/0x6c0
[10058.575678]  [<000000007ab0fe14>] fsnotify+0x654/0xb30
[10058.575682]  [<000000007ab10ca2>] __fsnotify_parent+0x372/0x780
[10058.575687]  [<000000007aa7eb9e>] notify_change+0x96e/0xcf0
[10058.575693]  [<000000007aa0a0c8>] do_truncate+0x108/0x190
[10058.575699]  [<000000007aa0aafc>] do_sys_ftruncate+0x31c/0x600
[10058.575703]  [<000000007a18da8c>] do_syscall+0x22c/0x330
[10058.575709]  [<000000007bc2cb6e>] __do_syscall+0xce/0xf0
[10058.575716]  [<000000007bc55722>] system_call+0x82/0xb0
[10058.575722] INFO: lockdep is turned off.
[10058.575725] Last Breaking-Event-Address:
[10058.575727]  [<000000007a985860>] ___cache_free+0x150/0x2a0
[10058.575733] ---[ end trace 0000000000000000 ]---
[10058.590086] systemd[1]: systemd-journald.service: Scheduled restart job, restart counter is at 2.
[10058.590588] systemd[1]: Stopped Journal Service.
[10058.590758] systemd[1]: systemd-journald.service: Consumed 4.770s CPU time.
[10058.596950] systemd[1]: Starting Journal Service...
[10058.634628] systemd-journald[601774]: File /run/log/journal/23dc967c665d48678d6de8983973d399/system.journal corrupted or uncleanly shut down, renaming and replacing.
[-- MARK -- Sun Jun 19 20:10:00 2022]
[10148.825091] systemd[1]: systemd-journald.service: start operation timed out. Terminating.
[10180.285606] Unable to handle kernel pointer dereference in virtual kernel address space
[10180.285615] Failing address: 0185c58585858000 TEID: 0185c58585858803
[10180.285618] Fault in home space mode while using kernel ASCE.
[10180.285624] AS:000000007d39400b R2:0000000000000028
[10180.285671] Oops: 0038 ilc:3 [#2] SMP
[10180.285707] Modules linked in: tls rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache netfs rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace loop lcs ctcm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill vfio_ccw mdev vfio_iommu_type1 zcrypt_cex4 sunrpc vfio drm i2c_core fb fuse font drm_panel_orientation_quirks xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390 qeth_l2 bridge stp llc dasd_eckd_mod dasd_mod qeth qdio ccwgroup dm_mirror dm_region_hash dm_log dm_mod pkey zcrypt
[10180.285815] CPU: 1 PID: 908 Comm: gmain Kdump: loaded Tainted: G    B D          5.19.0-rc2+ #1
[10180.285825] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[10180.285833] Krnl PSW : 0704e00180000000 000000007a989e3c (qlist_free_all+0x9c/0x130)
[10180.285858]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
[10180.285864] Krnl GPRS: 0000000000000001 001c000000000000 0185c58585858580 000000007c9111a8
[10180.285869]            0000000000000000 000000007a3bf8a2 000000009315c000 001bff8001f0fab8
[10180.285873]            0000000000000000 000000009315c000 000000008026f200 6161616161616161
[10180.285877]            000000007c3cd090 000000007c2f9f98 000000007a989e1e 001bff8001f0f9b0
[10180.285888] Krnl Code: 000000007a989e2a: c43800d22e97        lgrl    %r3,000000007c3cfb58
[10180.285888]            000000007a989e30: ec2b06b93a59        risbgn  %r2,%r11,6,185,58
[10180.285888]           #000000007a989e36: e32030000008        ag      %r2,0(%r3)
[10180.285888]           >000000007a989e3c: e33020080004        lg      %r3,8(%r2)
[10180.285888]            000000007a989e42: a7310001            tmll    %r3,1
[10180.285888]            000000007a989e46: a774003a            brc     7,000000007a989eba
[10180.285888]            000000007a989e4a: e33020000004        lg      %r3,0(%r2)
[10180.285888]            000000007a989e50: a7310200            tmll    %r3,512
[10180.285921] Call Trace:
[10180.285924]  [<000000007a989e3c>] qlist_free_all+0x9c/0x130
[10180.285929] ([<000000007a989e1e>] qlist_free_all+0x7e/0x130)
[10180.285933]  [<000000007a98a45a>] kasan_quarantine_reduce+0x16a/0x1c0
[10180.285938]  [<000000007a98720e>] __kasan_slab_alloc+0x9e/0xb0
[10180.285943]  [<000000007a982102>] kmem_cache_alloc+0x1e2/0x3d0
[10180.285949]  [<000000007aa4e9d6>] getname_flags.part.0+0x56/0x430
[10180.285955]  [<000000007aa5073a>] user_path_at_empty+0x3a/0x80
[10180.285959]  [<000000007ab1b59a>] inotify_find_inode+0x3a/0x150
[10180.285966]  [<000000007ab1c9de>] __s390x_sys_inotify_add_watch+0x17e/0x2c0
[10180.285971]  [<000000007a18da8c>] do_syscall+0x22c/0x330
[10180.285978]  [<000000007bc2cb6e>] __do_syscall+0xce/0xf0
[10180.285984]  [<000000007bc55722>] system_call+0x82/0xb0
[10180.285990] INFO: lockdep is turned off.
[10180.285993] Last Breaking-Event-Address:
[10180.285995]  [<000000007a985860>] ___cache_free+0x150/0x2a0
[10180.286001] ---[ end trace 0000000000000000 ]---
